Last week, malware compromised online stores, accidents led to expensive data breaches, and phishing scams topped the UK’s threat list.
United States - Hanna Andersson
Exploit: Malware attack
Hanna Andersson: Children’s clothing maker
Risk to Small Business: 2.222 = Severe: Cybercriminals infected Hanna Andersson’s online store with payment skimming malware that collects customers’ personally identifiable information. The breach impacted customers shopping between September 16 and November 11, 2019. The company only identified the breach after being notified by law enforcement, and the consequences were exacerbated because Hanna Andersson failed to follow PCI standards for payment card encryption and CVV management. As a result, the company will likely face both customer blowback and regulatory scrutiny, neither of which will help the business thrive.
Individual Risk: 2.285 = Severe: Hackers obtained customers’ personal and financial data entered at checkout. This includes their names, shipping addresses, billing addresses, payment card numbers, CVV codes, and expiration dates. Unfortunately, it appears that some customers were already victimized by hackers, as law enforcement identified the breach because of fraudulent online purchases made with the stolen card data. Therefore, anyone impacted by the breach should immediately notify their financial institutions of the event. They also need to carefully review their account details for unusual or fraudulent activity. Credit and identity monitoring services can keep an eye on long-term misuse, ensuring that victims’ information remains secure even after the urgency of the matter has decreased.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Customers and companies are increasingly unwilling to partner with organizations that can’t secure their data. Consequently, avoidable data breaches are an especially egregious way to compromise a company’s long-term viability. Inevitably, mistakes will be made, but identifying those errors and making corrections before hackers can capitalize on the information is critical to any defensive posture.
United States - Health Quest
Exploit: Phishing scam
Health Quest: Network of hospitals and healthcare providers
Risk to Small Business: 1.666 = Severe: Health Quest is updating its data breach announcement from an event that initially occurred in July 2018, when several employees fell for a phishing attack that compromised patients’ protected health information (PHI). In the attack, employees provided their email account credentials to hackers, who used those credentials to access patient data. The hospital sent breach notifications in May 2019, but the latest announcement expands the depth and scope of the breach. However, it’s unclear why it took the company nearly a year to issue the initial notification and another year to update its assessment. Healthcare breaches are the most expensive of any sector, and Health Quest will likely endure high recovery costs along with intense regulatory scrutiny.
Individual Risk: 2.142 = Severe
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: After the breach, Health Quest announced that it would implement two-factor authentication to secure employee accounts and is instituting employee awareness training to guard against future phishing attacks. Unfortunately, these efforts won’t recover any compromised data, and they won’t mitigate the damage from this breach. To protect data, these highly effective defense tactics need to be deployed before a breach occurs.
United States - The Center for Neurological and Neurodevelopment
Exploit: Phishing scam
The Center for Neurological and Neurodevelopment (CNNH): Healthcare provider
Risk to Small Business: 1.777 = Severe: Hackers gained access to an employee account containing patients’ protected health information. The unauthorized access lasted for more than a month, occurring between October 7, 2019 and November 22, 2019. In response, CNNH secured the account and hired a third-party forensics team to investigate the breach. However, the diagnosis is unlikely to be positive, and the company likely faces an expensive road ahead.
Individual Risk: 2 = Severe: The data breach doesn’t include all CNNH patients, but hackers did have access to patient data contained in the employee email account. This could include patient names, addresses, dates of birth, health insurance information, medical/patient record numbers, and treatment information. CNNH encourages all victims to closely monitor their accounts and insurance statements to check for fraudulent activity and to notify their insurance providers if they discover false charges.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: CNNH secured the account by resetting its credentials and is updating company-wide email standards by enabling two-factor authentication and updating employee training initiatives. These simple data security measures should be standard at every company, and they have to be implemented before a breach occurs. With the cost and consequences of a breach continually increasing, companies can’t afford to wait until it’s too late to take steps to protect their data.
1 - 1.5 = Extreme Risk
1.51 - 2.49 = Severe Risk
2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
Phishing Tops UK Cyber Threat Landscape
Today’s companies face a litany of cybersecurity threats, but, according to the results of a new study, none are more prevalent than phishing attacks. The study, which surveyed UK ICO reports, found that there were 1,080 phishing-related breaches in 2019, a significant increase from 877 the year before. In total, phishing attacks caused 45% of all data breaches. While other notable causes like unauthorized access, ransomware, and brute-force password attacks run rampant, none come close to phishing in prominence.
This trend reflects cybercriminals’ desire to target employees and individuals who may not be prepared to identify and respond to the innocent-looking messages that frequently arrive in their inboxes. In response, companies can focus their defense initiatives to combat this trend. Employee awareness training is a proven way for companies to transform their employees from a potent risk to a proven line of defense against cybercrime.
To get help implementing comprehensive employee awareness training, contact ID Agent to learn more about how our simulated phishing attacks can equip your employees to respond to this prominent threat.
A Note From Kobargo
Data Privacy Fines Reach $126 Million
It’s been just over a year and a half since GDPR’s implementation, and the fines are starting to add up. According to the latest report, the expansive data privacy regulation has levied $126 million in penalties on companies throughout Europe. To some, the fines are relatively modest, a reminder that regulatory oversight can be slow to impact businesses’ bottom lines. However, others see the figure as an ominous reminder that data privacy failures won’t come without consequences.
At the same time, Europe isn’t the only place imposing financial penalties on companies that can’t protect customer data. California's Consumer Privacy Act and New York’s SHIELD Act both carry monetary penalties. In 2020, it’s clear that regulation is going to become more normative, not less, and businesses need to prepare. Contact ID Agent today to improve your defensive posture and avoid regulatory fines resulting from a breach.